This Appendix provides a table that lists some basic problems and describes how to resolve them. Scan the column on the left to identify the condition that you are trying to resolve; then carefully go through each of the corresponding recovery actions offered in the column on the right.

Issue | Recovery Action and Explanation
---|---
Remote Administrator cannot bring up CiscoSecure ACS from his or her browser, or receives a warning that access is not permitted. | 
Unauthorized users can log on. | Reject listed IP addresses is selected, but no Start or Stop IP Addresses are listed. Go to Administrator Control: Access Policy and enter the Start IP Address and Stop IP Address.
Restart Services does not work. | The system is not responding. To manually restart services, on the Windows Start menu, click Control Panel: Services. Click CSAdmin, then Stop, then Start.
Cannot install NDS database authentication. | Make sure Novell Requestor is installed on the same Windows NT server as the CiscoSecure ACS.
No remote administrators can log on. | Allow only listed IP addresses to connect is selected, but no Start or Stop IP Addresses are listed. Go to Administrator Control: Access Policy and enter the Start IP Address and Stop IP Address.
The browser cannot bring up the CiscoSecure ACS interface. | Open Internet Explorer or Netscape Navigator and select the Help/About option from the menu to determine the version of the browser. You must be running Internet Explorer 3.02 or later or Netscape 3.01 or later. These are the only browsers supported by CiscoSecure ACS.
The browser displays the Java message that your session connection is lost. | Check the idle time-out value for remote administrators. This is in the Administration Control window. Increase the value as needed.
Under EXEC Commands, Cisco IOS commands are not being denied when checked. | Make sure the following Cisco IOS command is configured on the NAS: AAA Authorization Commands <0-15> TACACS+
Administrator has been locked out of the NAS as a result of an incorrect configuration being set up in the NAS. | Try to connect directly to the NAS at the console port. If that is not successful, consult your NAS documentation or go to the Cisco web page for service/support regarding this condition.
IETF RADIUS attributes supported in Cisco IOS. | Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, a few attributes are not yet supported or require a later version of the Cisco IOS software. The following attributes fall into this category (table columns: Number, Attribute, Supported):
NAS times out when authenticating against Windows NT. | Increase the TACACS+ timeout interval from the default, 5, to 20. Set the Cisco IOS command as follows: TACACS-SERVER TIMEOUT 20
RDBMS Synchronization is not operating properly. | Make sure the correct server is listed in the Partners list.
Database Replication not operating properly. | Make sure you have set the server correctly as either Send or Receive. Make sure the correct server is selected in the Accept Replication from drop-down box. Replication checks only the IP address, not the secret key: the database will be replicated, but authentication forwarding will not work. Check the Failed Attempts report and make sure you entered the correct IP address. Make sure that the scheduling of replication on the sending CiscoSecure ACS does not conflict with the schedule on the receiving CiscoSecure ACS.
The external user database is not available in the Group Mapping section. | The external database has not been configured in External User Databases: Database Configuration. Click the applicable external database to configure it.
A dial-in user is unable to make a connection to the NAS. No record of the attempt is displayed in either the TACACS+ or RADIUS Accounting Reports (click TACACS+ or RADIUS Accounting within Reports & Activity) or the Failed Attempts Report (click Failed Attempts within Reports & Activity). | Examine the CiscoSecure ACS Reports or NAS Debug output to help narrow the problem to a system error or a user error. Confirm the following:
A dial-in user is unable to make a connection to the NAS. The Windows NT User Database is being used for authentication. A record of a failed attempt is displayed in the Failed Attempts Report (click Failed Attempts within Reports & Activity). | The user information is not properly configured for authentication in Windows NT or CiscoSecure ACS. Confirm that the Windows NT User Database resides on the same machine as CiscoSecure ACS. From the Windows NT User Manager, confirm the following: From within the CiscoSecure ACS, confirm the following: Click External User Databases: List All Databases Configured and make sure that the database configuration for Windows NT is listed. Check the Unknown User Policy to make sure that Fail the Attempt is not checked. Check the Selected Databases box in the Unknown User Policy window. Confirm that the Windows NT group the user belongs to has not been mapped to No Access.
A dial-in user is unable to make a connection to the NAS. The CiscoSecure ACS User Database is being used for authentication. A record of a failed attempt is displayed in the Failed Attempts Report (click Failed Attempts within Reports & Activity). | From within CiscoSecure ACS, confirm the following:
A dial-in user is unable to make a connection to the NAS; however, a Telnet connection can be authenticated across the LAN. | This isolates the problem to one of three areas: You can additionally verify CiscoSecure ACS connectivity as follows:
A dial-in user is unable to make a connection to the NAS, and a Telnet connection cannot be authenticated across the LAN. | 
When running debug aaa authentication on the NAS, a failure message is returned from CiscoSecure ACS. | The configurations of the NAS or CiscoSecure ACS are likely to be at fault. From within CiscoSecure ACS, confirm the following: From the NAS, confirm the following:
When running | This problem occurs because authorization rights are not correctly assigned. If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this might indicate that it has not been enabled in Interface Configuration: TACACS+ (Cisco) or RADIUS
Authentication Forwarding fails. | Make sure that the direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing. Make sure the shared secret (key) matches the shared secret of one or both CiscoSecure ACSes. Make sure the character string and delimiter match the stripping information configured in the distribution table, and that the position is set correctly to either Prefix or Suffix. One or more servers is down, or no fallback server is configured: go to Network Configuration and configure a fallback server. Fallback servers will be used only under the following circumstances:
The following error message is displayed when attempting to upgrade or remove the CiscoSecure ACS: The following file is invalid or the data is corrupted "DelsL1.isu" | From the Windows NT registry, delete the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CiscoSecure
All previous accounting logs are missing. | If reinstalling or upgrading the CiscoSecure ACS software, the files are deleted unless moved to another directory location.
CRYPTOAPI error when installing CiscoSecure ACS. | If the Windows NT server has Service Pack 3 and Internet Explorer 4.0 installed, this error, which affects the encryption applet in the installation, will occur.
Max Sessions over VPDN is not working. | The use of MaxSessions over VPDN is currently not supported.
User Max Sessions fluctuates or is unreliable. | Services were restarted, possibly because the connection between the CiscoSecure ACS and the NAS is unstable. Clear the Single Connect TACACS+ NAS checkbox.
active.csv report is blank. | You changed protocol configurations recently. Whenever protocol configurations change, the existing active.csv report file is renamed to yyyy-mm-dd.csv and a new, blank active.csv report is generated.
A report is blank. | Make sure you have checked Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to CiscoSecure ACS for Windows NT.
No Unknown User information is included in reports. | The Unknown User database was changed. Accounting reports will still contain unknown user information.
Two entries are logged for one user session. | Make sure that the Remote Logging configuration and the Send Accounting Information field in the Distribution Table are not configured to send accounting packets to the same location.
You are unable to properly implement the SDI Token Server. | Step 1: Log into the Windows NT Server on which CiscoSecure ACS is installed (make sure your login account has administrative privileges). Step 2: Install the SDI Client software on the same Windows NT server as the CiscoSecure ACS. Step 3: Follow the setup instructions; do not restart at the end of the installation. Step 4: Get the file named sdconf.rec, located in the /data directory of the SDI ACE server. Step 5: Place sdconf.rec on the Windows NT Server in the %SystemRoot%\system32 directory. Step 6: Make sure you can ping the machine that is running the ACE server by host name (you might need to add the machine to the lmhosts file). Step 7: Enable support for SDI in the External User Database: Database Configuration window in the CiscoSecure ACS. Step 8: Run Test Authentication from the Windows NT Server control panel for the ACE/Client application. Step 9: From CiscoSecure ACS, install the token-card server.
User authentication fails when using PAP. | Outbound PAP is not enabled. If the Failed Attempts report shows that you are using outbound PAP, go to Interface Configuration and check Per-User Advanced TACACS+ Features. Then go to User Setup: Advanced TACACS+ Settings. Click TACACS+ Enable Control and enter and confirm a TACACS+ Outbound Password.
Unknown users are not authenticated. | Go to External User Databases: Unknown User Policy. Click the "Check the following external user databases:" radio button. From the External databases list, click the database(s) against which to authenticate unknown users. Click the right arrow to add the database to the Selected Databases list. Click the Up or Down button to move the database into the desired position in the authentication hierarchy. If you are using the CiscoSecure ACS Unknown User feature, external databases can authenticate using only PAP.
User did not inherit settings from new group. | Users moved to a new group will inherit new group settings but will keep their existing user settings. Manually change the settings in User Settings.
User can authenticate, but authorizations are different than expected. | Different vendors use different AV pairs. AV pairs not used in one vendor's protocol will be ignored by another vendor's protocol. Make sure the user settings reflect the correct vendor protocol; for example, Cisco RADIUS.
User cannot log in. | Re-enable the user account or reset the failed attempts counter.
Authorization fails. | The retry interval is too short (the default is 5 seconds). Increase the retry interval on the NAS to 20 or greater (tacacs-server timeout 20).
User accounts become disabled when users dial in without authenticating. | Incorrect keys are configured between CiscoSecure ACSes using RADIUS.
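Three rows above point at the NAS side of the problem: EXEC commands not being denied (no AAA Authorization Commands line for the privilege level), and the NAS timing out or authorization failing because tacacs-server timeout is left at its default of 5 seconds. The following audit of a running-config is an added example, not from the page or from Cisco; it assumes the classic global tacacs-server syntax the table shows, and the sample config text is constructed.

```python
"""Audit a Cisco IOS running-config for two NAS-side conditions from the table:
a TACACS+ timeout below the recommended 20 seconds, and privilege levels that
have no 'aaa authorization commands <level> ... tacacs+' line, which leaves
command authorization for that level unenforced by CiscoSecure ACS."""
import re

RECOMMENDED_TIMEOUT = 20   # the table's value: tacacs-server timeout 20
DEFAULT_TIMEOUT = 5        # IOS default when no timeout line is present

# Constructed sample config (not from the page): timeout at default, and only
# privilege level 15 covered by command authorization.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLEKEY
tacacs-server timeout 5
"""

TIMEOUT_RE = re.compile(r"^\s*tacacs-server timeout (\d+)", re.M)
# Matches both 'commands 15 tacacs+' and 'commands 15 default group tacacs+'.
AUTHZ_RE = re.compile(r"^\s*aaa authorization commands (\d+) .*tacacs\+", re.M)


def tacacs_timeout(config: str) -> int:
    """Configured TACACS+ timeout in seconds, or the IOS default if absent."""
    m = TIMEOUT_RE.search(config)
    return int(m.group(1)) if m else DEFAULT_TIMEOUT


def authorized_command_levels(config: str) -> set:
    """Privilege levels whose commands are authorized against TACACS+."""
    return {int(m.group(1)) for m in AUTHZ_RE.finditer(config)}


def audit(config: str, required_levels=(1, 15)) -> list:
    """Return one finding string per problem; an empty list means clean."""
    findings = []
    timeout = tacacs_timeout(config)
    if timeout < RECOMMENDED_TIMEOUT:
        findings.append(f"tacacs-server timeout is {timeout}s; set it to "
                        f"{RECOMMENDED_TIMEOUT} or greater")
    for level in sorted(set(required_levels) - authorized_command_levels(config)):
        findings.append(f"no 'aaa authorization commands {level} ... tacacs+' line: "
                        f"level-{level} commands are not checked by ACS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```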
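The two access-policy rows above (Unauthorized users can log on; No remote administrators can log on) are opposite outcomes of the same mistake: a list-based mode with no Start/Stop addresses. The model below is an added example, not from the page or from the product; it uses the table's three mode names, my own function names, and constructed addresses, and shows that an empty list fails open under Reject listed and fails closed under Allow only listed, with a check that flags either before it is saved.

```python
"""Model of the Administrator Control: Access Policy decision from the table,
evaluating a remote administrator's source address against inclusive
Start..Stop ranges under each of the three modes."""
from ipaddress import IPv4Address

ALLOW_ALL = "allow all"
ALLOW_LISTED = "allow only listed"     # table: Allow only listed IP addresses
REJECT_LISTED = "reject listed"        # table: Reject listed IP addresses

# Constructed management range (Start IP Address, Stop IP Address); not from the page.
MGMT_RANGE = [("192.0.2.10", "192.0.2.20")]


def in_ranges(addr: str, ranges) -> bool:
    """True if addr falls inside any inclusive Start..Stop range."""
    ip = IPv4Address(addr)
    return any(IPv4Address(start) <= ip <= IPv4Address(stop)
               for start, stop in ranges)


def admin_allowed(addr: str, mode: str, ranges=()) -> bool:
    """Decide whether a remote administrator at addr may log on."""
    if mode == ALLOW_ALL:
        return True
    listed = in_ranges(addr, ranges)
    if mode == ALLOW_LISTED:
        return listed        # empty ranges: nobody is listed, every admin is locked out
    if mode == REJECT_LISTED:
        return not listed    # empty ranges: nobody is rejected, policy fails open
    raise ValueError(f"unknown mode: {mode}")


def policy_warnings(mode: str, ranges=()) -> list:
    """Configuration check matching the two table rows: a list mode with no ranges."""
    if mode == REJECT_LISTED and not ranges:
        return ["Reject listed IP addresses is selected but no Start/Stop addresses "
                "are listed: unauthorized addresses can log on"]
    if mode == ALLOW_LISTED and not ranges:
        return ["Allow only listed IP addresses is selected but no Start/Stop addresses "
                "are listed: no remote administrator can log on"]
    return []
```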